Defending against side-channel attacks - Part 2

Editor's Note: This article was originally presented at ESC Boston 2011.

Part One of this three-part series discussed a basic DPA attack against AES. Many different variations of DPA attacks exist, depending upon the type of algorithm and how it is being implemented. Part Two discusses a DPA attack against AES using EM emissions from the devices.

-------------------------------

3. EM analysis of mobile devices

3.1 Background As smart mobile devices become ubiquitous, many applications requiring a high degree of security are being ported to the devices. Banking, mobile payments, stock trading, and digital rights management of downloaded content are all examples of applications requiring secure connections and the use of cryptographic keys. As the examples in this section show, however, many mobile devices currently in use do not contain side-channel protections. Hence, these devices are often extremely vulnerable to side-channel attacks, often from data collection occurring several yards away.

3.2 EM collection setup The equipment used to collect the EM data is shown in Figure 9 below.

The emissions from the devices are captured with standard near field or far field antennas. The signals are sent to an Icom receiver where they are downconverted. The downconverted signals are then sent to the GNU digitizer, and the digitized signals are then processed on a standard workstation with the GNU software radio program and DPAWS software. The hardware for the entire setup can be purchased for under $2000.

3.3 EM analysis of an elliptic curve application on an iPod The first example is an elliptic curve application running on an iPod. The application was written using an open source cryptographic library. It performs a point multiplication over the NIST curve P-521. The application computed a straightforward point multiplication using the algorithm shown in Figure 10 below.

Figure 10: Straightforward implementation of an elliptic curve point multiplication

The emissions from the iPod were collected from several feet away using the far field antenna. The carrier frequency of the signal was 972.177 MHz. The acquisition bandwidth was 200 KHz, and the filtered bandwidth was 140 KHz. A snapshot of the collected data is shown in Figure 11 below.

Figure 11: Data collected from iPod touch from several feet away

The double and add are very different operations, and the difference is easy to see directly. The thinner downward spikes are the doubling operations, while the wider downward spikes are the additions. In the straightforward implementation shown in Figure 10, a double can be followed by either another double, or an addition. In contrast, an addition is always followed by a double. Hence, whenever there are two thin spikes in a row the corresponding bit of the secret multiplier is a zero. Similarly, a thin spike followed by a wide spike indicates the corresponding bit of the secret multiplier is a one. By analyzing the pattern of spikes, an attacker could extract the entire secret multiplier using a single trace.